Just after midnight tonight I will be rebooting the main file server first, which will make everything that depends upon files halt for several minutes. Then I will be rebooting other servers. This is to make recent updates to glibc take effect.
Bored Chinese
Since putting fail2ban in place, nearly all of the brute force password attacks have come out of China, with a handful from Viet Nam.
Hi,

The IP 58.215.172.27 has just been banned by Fail2Ban after 5 attempts against SSH.

Here are more information about 58.215.172.27:

[Querying whois.apnic.net]
[whois.apnic.net]
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '58.208.0.0 - 58.223.255.255'

inetnum: 58.208.0.0 - 58.223.255.255
netname: CHINANET-JS
descr: CHINANET jiangsu province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CJ186-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-JS
mnt-routes: MAINT-CHINANET-JS
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20050624
source: APNIC

role: CHINANET JIANGSU
address: 260 Zhongyang Road,Nanjing 210037
country: CN
phone: +86-25-86588231
phone: +86-25-86588745
fax-no: +86-25-86588104
e-mail: ip@jsinfo.net
remarks: send anti-spam reports to spam@jsinfo.net
remarks: send abuse reports to abuse@jsinfo.net
remarks: times in GMT+8
admin-c: CH360-AP
tech-c: CS306-AP
tech-c: CN142-AP
nic-hdl: CJ186-AP
remarks: www.jsinfo.net
notify: ip@jsinfo.net
mnt-by: MAINT-CHINANET-JS
changed: dns@jsinfo.net 20090831
changed: ip@jsinfo.net 20090831
changed: hm-changed@apnic.net 20090901
source: APNIC
changed: hm-changed@apnic.net 20111114

person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: anti-spam@ns.chinanet.cn.net
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: dingsy@cndata.com 20070416
changed: zhengzm@gsta.com 20140227
mnt-by: MAINT-CHINANET
source: APNIC

% This query was served by the APNIC Whois Service version 1.69.1-APNICv1r0 (WHOIS1)

Regards,

Fail2Ban
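The ban in the notification above fires after 5 failed SSH attempts from one address. The following is an added example, not fail2ban's own code and not part of the original post, showing that counting rule applied to sshd log lines. The 600-second window, the log year and all log lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 5                       # threshold named in the notification above
FIND_TIME = timedelta(seconds=600)  # assumed window; the page does not state one

# Matches OpenSSH "Failed password" lines in classic syslog format.
FAILURE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
)

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
May  9 22:00:00 host sshd[1901]: Failed password for root from 198.51.100.20 port 3301 ssh2
May  9 22:06:00 host sshd[1905]: Failed password for root from 198.51.100.20 port 3302 ssh2
May  9 22:12:00 host sshd[1909]: Failed password for root from 198.51.100.20 port 3303 ssh2
May  9 22:18:00 host sshd[1913]: Failed password for root from 198.51.100.20 port 3304 ssh2
May  9 22:24:00 host sshd[1917]: Failed password for root from 198.51.100.20 port 3305 ssh2
May  9 23:58:01 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
May  9 23:58:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
May  9 23:58:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40118 ssh2
May  9 23:58:09 host sshd[2107]: Accepted password for alice from 192.0.2.10 port 51514 ssh2
May  9 23:58:11 host sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 40125 ssh2
May  9 23:58:14 host sshd[2111]: Failed password for root from 203.0.113.7 port 40130 ssh2
May  9 23:58:16 host sshd[2113]: Failed password for root from 203.0.113.7 port 40133 ssh2
"""

def find_bans(lines, year=2014):
    """Return [(ip, time_of_ban)] in the order the bans would fire."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned = {}
    for line in lines:
        m = FAILURE.match(line)
        if not m or m["ip"] in banned:
            continue  # not a failure, or this address is already banned
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > FIND_TIME:  # drop failures older than the window
            window.popleft()
        if len(window) >= MAX_RETRY:
            banned[m["ip"]] = when
    return list(banned.items())

if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()):
        print(f"ban {ip} at {when}")
```

The slow source at 198.51.100.20 also fails five times but never has five failures inside one window, so only the burst from 203.0.113.7 is banned.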
Maintenance Done
Brief Maintenance Outage Tomorrow Morning 5/13/2014 12:05-12:30AM
I will be rebooting various servers tonight in order to switch NFS back to version 4 which now appears to be fixed in CentOS 6.5.
NFS version 4 supports mandatory locking, provides better overall performance, and can co-exist with firewalls, allowing for greater system security.
Clam-AV Update on All servers – Mail queue unplugged
Clam-AV has been updated on all servers and the queues flushed, so mail is no longer backed up in queue, with the exception of mail destined to sites that are currently down.
Virus Warning!
There is a new virus propagating that, until just now, clam-av was unaware of, and as a result there may be copies in your INBOX.
If you have an e-mail with an attachment eskimo.com.zip, DO NOT OPEN THE ZIP ATTACHMENT.
Two of three servers now have an updated clam-AV database and will no longer accept this virus, but I am having problems with a third server that is so choked with viruses I can’t get command line responses to update clam-AV.
This has caused outgoing mail to get stuck in queue. Presently the two servers that are working are cleared, and I am working on getting this one to update and clear itself.
Maintenance Work Done For Tonight
Tonight’s maintenance work is done. Tomorrow I will be taking down Debian and UUCP as well as a number of servers that are replicated and thus won’t affect service. Other than Debian and UUCP, all of the service affecting work is done for the night.
Maintenance Outage 5/10/14 00:05-02:00
I will be rebooting and taking machines down for imaging tonight shortly after midnight. I should be finished by approximately 2AM.
This is necessary to install kernel upgrades that fix a possible privilege escalation exploit in the kernel as well as to image the machines after adding fail2ban so that if a restoration is necessary at some point, that will get included in the restoration.
In short, these outages will enable us to make some improvements in site security as well as to back up some that were recently put in place.
Comcast Accepting Mail
Comcast is now accepting mail. There is no longer any mail stuck in queue; all outbound mail that was queued is now delivered.
Yahoo Accepting Mail
I have been able to confirm via the mail log that today mail is going through to Yahoo, ATT/SBC Global, and Frontier.
Comcast is presently blocking for reasons unknown. I’ve applied to their feedback program so I will receive e-mails of any spam they receive from us, and have submitted a response on their unblock form.